“Uneasy lies the head that wears a crown.” William Shakespeare, Henry IV¹
Cyberattacks on colleges and universities can slow research, expose sensitive data, erode trust, and bring about intense public scrutiny. While the campus information security team handles the technical aspects of incident response and recovery, they may tap an institution’s executive leaders to participate in the incident response process if an incident reaches a significant criticality level, requires significant external, resources, impacts multiple departments, or has potential legal, financial, or reputational consequences. At this point, executive leaders must provide strategic direction to the incident response team, often making decisions that require balancing institutional risk, legal exposure, reputation, and campus community safety.
No institution or leader can prepare in advance for every type of cybersecurity incident. However, you can use your tried-and-true critical problem-solving skills to navigate this high-stakes leadership moment. Keep these tips in mind for when, not if, your institution encounters its next cybersecurity emergency.
Framing the Big Picture Quickly
When a cybersecurity incident strikes, institutional leaders must first understand its scope in business, not technical terms. What critical academic, research, and administrative functions or data are affected by the incident? What legal, regulatory, or contractual obligations are in play? What is the potential reputational fallout? What is the impact on the campus community’s ability to go about their daily activities?
Quickly framing the problem at a strategic level, even when technical details are still emerging, helps your campus community understand why certain response actions take priority and how your response strategy aligns with institutional values and obligations. Keeping your view on the strategic level also shows your commitment to protecting students, faculty, and staff, safeguarding data, upholding privacy, and maintaining the trust of the campus community. Painting the big picture quickly helps set the tone for the technical incident response team, your institutional leadership team, and the campus community.
Prioritizing Competing Risks and Interests
Cybersecurity incidents often force institutional leaders to navigate difficult trade-offs. Should you prioritize restoring student services even if it delays forensic investigation? Do you pay a ransom to recover data quickly, or toe the line against demands that hold your data hostage? Should communications to the campus community be immediate and transparent, or more measured as facts are verified?
Strong risk-balancing skills are essential. As a leader, you must understand your institution’s risk appetite to balance operational urgency, potential legal exposure, ethical considerations, and potential long-term implications from the incident. You may also need to coach your leadership team on how to feel comfortable making quick decisions with limited or incomplete data. Understanding the trade-offs you are making and prioritizing competing risks is essential.
Enabling Cross-Functional Coordination
Incident response is multidisciplinary. While your campus information security team is at the center of technical response activities, the guidance of other institutional departments like legal counsel, internal audit, marketing and communications, academic leadership, public safety, and sometimes even external partners, may be required. As an institutional leader, you are key to ensuring additional parties come to the table and work together effectively. This means:
- Clarifying roles and decision-making authority.
- Breaking down silos to ensure smooth information flow.
- Keeping everyone aligned with the institution’s broader goals and risk appetite.
When coordination fails, response efforts can stall or, even worse, different functions may actively work against each other.
Communicating Clearly and Credibly
In a crisis, clear and credible communication is paramount. Campus and community stakeholders such as students, faculty, staff, parents, trustees, alumni, regulators, and the media will demand answers and reassurance. As the institution’s leader, your words carry weight. You need to:
- Deliver timely updates, even when full details are not yet available.
- Acknowledge uncertainty honestly.
- Maintain transparency without sharing sensitive details that could compromise the institution’s response to the incident.
- Acknowledge when early information was inaccurate and how you are adjusting to new details.
How you communicate can strengthen or damage trust, both during the incident and throughout recovery activities.
Fostering a Culture of Learning and Improvement
Finally, effective incident response doesn’t end when IT systems and data are back online. A crucial part of your role is championing a thorough and candid post-incident review. This review is not about assigning blame. Instead, it is about understanding what worked during the institution’s response to the incident, what didn’t, whether the right resources were available, and how the institution can better strengthen its preparedness for next time.
Encourage your teams to be honest and forward-looking in the post-incident review. Invest in training, governance improvements, and (where needed) culture change to learn from the post-incident review and ensure that campus incident response activities mature.
“All things are ready, if our mind be so.” William Shakespeare, Henry V
How to Prepare Now
Effective institutional leadership during a cybersecurity incident shouldn’t start when the crisis hits. It starts now. Here are practical steps you can take today to ensure you are ready when an incident occurs:
- Understand Your Campus Cybersecurity Incident Response Plan
Review your institution’s current incident response plan. What types of incidents will need executive leadership? When called upon, do you know your role within the incident response process? Are roles and responsibilities for leadership, partners, and others clearly defined? Ensure that the plan is up-to-date and accurately reflects your institution’s current structure and risk profile. - Build Relationships Across Functions
Strong relationships are critical in a crisis. Take time now to strengthen connections within your leadership team and with your IT, legal, communications, compliance, and academic affairs colleagues. Talk to these teams about your expectations for all leaders during a cybersecurity incident. Knowing who to call for advice and expertise can save time during a crisis - Participate in Tabletop Exercises
Ask to be included in cybersecurity tabletop exercises. These simulations are not just for technical teams—they are invaluable for practicing decision-making, clarifying roles, and identifying gaps in preparedness. If your institution hasn’t conducted a cybersecurity tabletop exercise, make the funds and resources available to conduct one soon. You will also want to ensure that exercise scenarios reflect the real risks that your institution faces. - Clarify Communication Protocols
Confirm who handles internal and external communications during an incident and review templates and messaging plans. Ask how your office will stay informed and how you will provide input when high-profile decisions need to be made. Make sure that everyone taking part in incident response understands who is authorized to make statements to the media, campus community, and law enforcement. - Assess Critical Priorities
Work with your campus leadership team to identify your institution’s most critical systems and data. Understand the business impacts of downtime for key functions like student services, research systems, payroll, and ensure these are reflected in response planning. Also, keep in mind the campus calendar: some academic systems might be more critical at the beginning and end of semesters, while other business systems might be more important at the beginning or end of fiscal periods. - Champion a Culture of Cybersecurity
Promote a campus culture that takes cybersecurity seriously. Support regular cybersecurity hygiene training for students, faculty, and staff, and ensure that cybersecurity is a regular agenda item at leadership discussions. When leaders prioritize cybersecurity, it signals to the entire campus that protecting data, systems, and people is a shared responsibility, not just an IT issue.
Cybersecurity incident response can be complex, but strong leadership can guide an institution through incidents with confidence. By honing problem-solving skills and building preparedness now, campus leaders can ensure a more effective response when crises arise. The steps you take today will shape your institution’s cyber resilience and reputation for the future.
¹Turns out that William Shakespeare had a lot of pithy things to say about cybersecurity incident response.
This post was co-authored by Senior Principal and Partner Joanna Lyn Grama, JD, CISSP, who works with clients to examine and improve their cybersecurity, data privacy programs, technology governance, and compliance.
Need Help?
Our team of higher education experts is available to facilitate enhanced cybersecurity preparedness and other services with your organization.